All EU institutions have the legal obligation to keep a central register of records of activities processing personal data (Article 31 of Regulation 2018/1725).
The register shall contain at least the following information (Article 31(1) of the Regulation):
- name and contact details of the controller, the data protection officer and, where applicable, the processor and the joint controller;
- the purposes of the processing;
- description of the categories of data subjects and of the categories of personal data;
- the categories of recipients to whom the personal data have been or will be disclosed;
- where applicable, transfers of personal data to a third country or an international organisation and the documentation of suitable safeguards;
- where possible, the envisaged time limits for erasure of the different categories of data;
- where possible, a general description of the technical and organisational security measures to protect those personal data.
The list of records of EDPS activities processing personal data, with hyperlinks to the relevant record, follows.